Europe’s highest court ruled on Thursday that a transatlantic data transfer deal is invalid because of concerns about U.S. surveillance in a decision that could disrupt thousands of companies that rely on the agreement.
The ruling effectively ends the privileged access companies in the United States had to personal data from Europe and puts the country on a similar footing to other nations outside the bloc, meaning data transfers are likely to face closer scrutiny.
The so-called Privacy Shield was set up in 2016 by Washington and Brussels to protect personal data when it is sent to the United States for commercial use after a previous agreement known as Safe Harbour was ruled invalid in 2015.
More than 5,000 companies have signed up to it but the Privacy Shield was challenged in a long-running dispute between Facebook and Austrian privacy activist Max Schrems who has campaigned about the risk of U.S. intelligence agencies accessing data on Europeans.
“In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-U.S. persons,” the Court of Justice of the European Union (CJEU) in Luxembourg said in its ruling, which cannot be appealed.
“It looks perfect,” Schrems said.
“One of the biggest takeaways is that we would need fundamental reform in U.S. surveillance laws if U.S. companies still want to have any kind of decent access to the European market,” he told Reuters TV.
Facebook said it was studying the ruling and looked forward to regulatory guidance on its impact.
“We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure,” Eva Nagle, associate general counsel at Facebook, said in a statement.
Facebook’s lead EU regulator, Ireland’s Data Protection Commissioner Helen Dixon, said assessment would need to be made on a case-by-case basis.
Supervisory authorities across the EU will play a central role in allowing data transfers, and will develop a common position to give practical effect to the judgement, she said.
EU concerns about data transfers have been growing ever since former U.S. intelligence contractor Edward Snowden’s revelations in 2013 of mass U.S. surveillance.
The court is saying that the surveillance regime in the U.S. does not respect the rights of EU citizens and puts U.S. state interests over the interests of individuals, Jonathan Kewley, co-head of technology at law firm Clifford Chance said.
“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying their data standards can be trusted, but those in the U.S. cannot,” he said.
Kewley said the outcome could be that more customer data remains stored in Europe, which is what happened after Safe Harbour was annulled.
The U.S. Department of Commerce said it was “deeply disappointed” and would remain in close contact with the European Commission to try to limit the negative consequences of the ruling.
Judges upheld the validity of another data transfer mechanism known as standard contractual clauses (SCCs).
They are used by thousands of companies including Facebook, industrial giants and carmakers to transfer Europeans’ data around the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.
However, the court stressed that under SCCs, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection in other countries cannot be assured.
Schrems said this meant companies that fall under U.S. surveillance laws, such as Facebook, could not use the clauses to shift data to the United States.
Facebook welcomed the decision on SCCs.
“These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens,” Nagle said.
Schrems said before the ruling that transactions by Europeans such as booking a hotel or hire car in the United States or emailing someone there would not be affected. His concerns centred more on the way personal data is stored.
Microsoft said Thursday’s rulings did not affect its customers ability to transfer data between the EU and the United States using the Microsoft cloud.